Fit Leaking: When a fitbit blows your cover

JAN 29th UPDATE: As Mikko Hypponen pointed out today, Strava is not the only company that makes this kind of data available today. Suunto makes a global exercise map called Movescount available that does much the same thing. In thirty seconds of examination it is possible to find patterns of movement in military facilities. The message is clear: Fit leaking is a global problem, and it is only the tip of the location-data-iceberg. Strava and Suunto made their maps public, and thus showed what their “God’s eye” view of human behavior looked like. Most of the companies that collect this kind of data will never make such maps public, yet the data sits on servers around the globe.

Fitness Tracking uses movement sensors, and sometimes a GPS chip, to collect information about things like distance traveled, and activity during exercise. In the aggregate, the information can also be used to determine things like urban behavior patterns.

Strava is an exercise-based social network. Users provide Strava with their exercise information, in exchange for tracking their progress, and receiving social encouragement from fellow exercisers. This provides a degree of community, opportunities to meet like-minded exercisers, and motivation to meet exercise goals. Strava also markets the information that they collect in the aggregate as a tool to help municipalities understand activities within a community. Strava shows some of what they collect in their recently published heat map, which provides a global view of fitness behavior. It also appears to contain a remarkably large amount of information that institutions are trying to keep confidential.

Introducing Fit Leaking

The information emitted from fitness trackers, even when not immediately associated with a particular individual’s real identity, is highly sensitive. It is even more so when viewed in the aggregate. Fitness tracker data, when combined with other publicly available information (or non-public information), can be used to “out” sensitive activities, such as the location of classified facilities, diplomatic outposts, and military activity. Location emitted by fitness trackers can also link individual users to their homes and patterns of life. I’ll refer to this as Fit Leaking, which I roughly define as: when fitness activities, recorded for personal benefit, emit signals that reveal sensitive and confidential information.

Small military outpost in an unnamed denied area, exposed by a heavy exerciser jogging the perimeters and fit leaking. Coordinates removed.

Since Strava released its newest map, Twitter users have quickly begun looking into areas of interest, showing how fit leaking can quickly wipe out substantial efforts taken to keep certain activities hidden.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

Strava’s global heat map is fascinating, and it is likely to be an effective pitch for their Metro product, which sells a version of this data to cities.

Strava’s heat map of a ‘normal’ area. Small pockets of intense activity are visible, connected by bike and running trips.

Whether or not Strava intended it, the map contains a massive set of signals about military, diplomatic, commercial, and private behavior. It will be interesting to observe whether Strava and other similar tracking-aggregators follow the inevitable path of being courted by other potential customers who have a much more invasive set of reasons for accessing it.

PAPI: Presence, Activity, Profile, Identification

The objective of this section is to highlight some of the categories of information that can be quickly identified from perusal of Strava’s heat map. The map is a series of routes associated with user activities, displayed as an overlay on a slippy map, and using a basic color ramp showing rate of passage over a specific area, segmented by activity type. This section will outline several examples where the simple presence of indicators from fitness trackers could provide important signals to adversaries. It is not intended to be comprehensive.

| Type of Signal | Explanation | Example |
| --- | --- | --- |
| Presence | In some cases, the presence of one or more individuals with trackers points to a non-public fact, such as the location of an installation. | A covert military outpost is identified by a consistent pattern of exercise activity in a remote area, or an area where there are few other users of fitness trackers. |
| Activity | Activity level at a sensitive installation can be ‘read’ based on volume of fitness tracker activity. | Rate of activity of personnel at an embassy, or installation, can reveal important information about activities and strategy. |
| Profile | A single fitness tracker user, or users, who regularly wear fitness trackers during their work activities can signal important information about who they are and what they are doing. | Patrol routes can be observed at a military base, or outside of a military base. |
| Identification | In areas of high fitness tracker use, it may be difficult to identify specific people; however, in areas where fitness tracking is less common, specific residences or other locations can be used to identify individuals. | Individual homes or workplaces, as well as other uniquely identifying areas, can be used to associate a particular trajectory with a particular individual or small group. |

Presence

While there are many global users of fitness trackers, they are not evenly distributed. Some areas of the heatmap are thus “dark,” reflecting a lack of tracker ownership, power, cellular network and so on. Yet even in those areas, pinpoints of high activity can be observed. Some of these areas may also be ‘denied’ such as Syria. Evidence of heavy activity in these very small areas can, when combined with satellite imagery, be used to identify military bases, and other covert activities. I observed that military bases often feature very high levels of concentrated physical activity. Looking for this “bright” activity in “dark” areas where conflicts were ongoing revealed a wide range of military installations that appeared to have foreigners busily exercising in them.

Strava’s heat map of an unnamed “dark” and denied area. The small dots correspond to areas that can be reasonably linked to a foreign military. The areas are not connected by movement, and likely have their own power and internet. The intensity of the areas indicates a lot of exercise in a confined space. Coordinates removed.

In an hour, I was able to use fit leaking to identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East. The same technique can also be used to identify the presence of US Military personnel within bases of friendly countries.

Small military or intelligence outpost in a denied area, exposed by a heavy exerciser with not much running area available, fit leaking. Coordinates removed.

I was able to match a flurry of activity in a base belonging to a Middle Eastern country to recent public information about investment in improving facilities at that base. The pattern of life activity also highlights the likelihood that the same western personnel are servicing aircraft, which matches with reports that the base is used to conduct drone warfare.

Since the publication of Strava’s map, many others have begun examining the data, looking for indications of the presence of previously hidden activities.

Activity

Military and diplomatic personnel need to exercise, and this can be difficult in tight urban areas during a conflict. As a result, these activities are likely to create a very tight and intense hot spot of activity that does not correspond to sporting areas or other areas. In Damascus, Syria for example, we can locate the Embassy of Russia simply by looking for fit leaking outside typical areas for exercise, and focusing on the hotspot of fitness tracker activity.

Staying in shape inside the walls: Fit leaking at the Russian embassy in Damascus.

It is likely that the activity rate at the embassy across time would provide further signals about the activities of personnel within the embassy. We see similar hotspots elsewhere in Damascus. For example, in the Al Assad University Hospital, we spot further evidence of enclosed fitness activity, or substantial movement.

The same exercise can be conducted for many embassies and diplomatic compounds in high risk areas around the globe.

We can also find evidence of tracker activity likely indicating shipping activity, and possibly the arrival of military personnel needing exercise, in the port of Tartus, Syria.

Sea Legs? Fit leaking of likely-Russian activities at the port in Tartus, Syria.

This post is written based solely on the kinds of things that can be inferred from the use of Strava’s public heat map, which contains partially anonymized information, and does not have a time dimension. Access to the same information on a more real-time basis, either with the consent of companies like Strava, or via techniques such as network monitoring, could be expected to provide an even more granular picture of sensitive activities, and thus result in even more potential risk and harm.

Profile

Fitness trackers may also record activity that reveals sensitive information about specific activities that range beyond fitness. For example, fitness tracking logs show apparent sentry or patrol activities in a base located in Western Syria. In this case, the fit leaking has revealed a regular pattern around what appears to be a munitions storage area.

Pattern of life at a munitions depot in Syria

By examining fit leaking at other non-recreational areas for a high level of activity, we find additional signs of activity at military bases in Syria. In this case, at an airbase.

Activity pattern in a Syrian airbase, likely by Russian military.

In outposts and undeclared facilities throughout Syria belonging to both Russian and NATO forces, fit leaking reveals individuals’ routes from bases to other locations, shows evidence of regular patrols, and provides a window into other sensitive activities. Such information could be used in the planning of military strikes, or even to plant roadside bombs.

Fit leaking revealing patterns of life on an airbase. Coordinates removed.

As Twitter users have pointed out over the last day, this kind of activity is visible everywhere. Such patterns are widely visible across military bases, including non-declared military bases in areas of the Middle East and Africa. The granularity of the activity is such that individuals can be seen regularly moving between buildings within a base in some cases, indicating clear information about patterns of life for specific individuals with specific tasks, such as aircraft maintenance and flight support.

Identification

In low fitness-tracker density areas, it is possible to use fit leaking to identify individual routes, and link them to specific high value locations, such as between residential areas and embassies. I am choosing not to include any examples, however they are not difficult to find, and they may already be appearing on Twitter.

Conceivably, when combined with other information, it may be possible to localize diplomats, intelligence officers, VIPs and other at risk individuals by following the routes displayed from sensitive facilities to residences, hotels, and other areas.

Additional Areas of Concern

Many workplaces (and some insurers) encourage the use of fitness tracking to promote health. However, fit leaking can expose information that is business confidential, or highly valuable to competitors. There is a constant pressure to develop new forms of business intelligence that track hard-to-hide business data, like using satellites to count cars in factory parking lots, or measure the size of coal piles. What is remarkable about fit leaking is that the data is intentionally emitted, albeit without awareness of the implications of publishing it.

Commercial Espionage Risks

Examination of the heat map makes it clear that fitness trackers are also carried by individuals undertaking a wide range of commercial activities, from fishing to oil and gas exploration and exploitation, mining, and manufacturing. In some cases, the map actually reveals patterns taken by fishing boats, dredging equipment, and open-air equipment, to name a few. This kind of information is valuable, and some of these industries are already heavily scrutinized by competitors and investors seeking estimates of production rate, resources, oil and gas exploration, etc.

Individual & Family Privacy

I have been able to locate individual routes in rural areas, even with the resolution limitations available in Strava’s public heat map. For example, I was able to find a Californian individual’s jogging paths beginning from the front door of their house, and following a regular circuit. I was also able to identify individual trips from a home to other locations. In the hands of an informed party, such as a stalker, or an individual engaged in intimate partner violence, such information could conceivably lead to harm. The same concern holds for regions where there is a high risk of kidnapping.

I found cases where schools and other educational areas were included in the take. In some rural areas it may be possible, simply with access to the Strava interface, to trace routes taken between schools and individuals’ homes, as well as other information, such as the exercise habits of likely minors (as implied by use of a school track, for example, or a playground). While Strava explicitly states that the service is not intended for those under 13, it would be interesting to know what safeguards, if any, are used to prevent the data of minors from being included.

Addressing the Fit Leaking Risk

Fit leaking is a new kind of operational security risk, and it slipped under the radar of many organizations that are highly concerned about secrecy. Militaries, intelligence agencies, and diplomats take many costly steps to shield certain activities from surveillance. Clearly, however, these entities did not realize that some of their personnel may have been unintentionally eroding these efforts via fit leaking.

Strava runs an incentive system that encourages us to turn over personal information in exchange for social rewards. This landed Strava a tremendous amount of information. Now, they are monetizing it. For the Strava users who have already provided the company with their data, it is probably too late to take any of it back.

While Strava provides users some control over privacy zones (where data is not recorded), this case illustrates that not all individuals in a large user base can be expected to take full advantage of the privacy settings available to them when those settings are presented as opt-outs.

Rosie Spinks, writing last August, pointed to the concern about how Strava users might inadvertently reveal more than they intended.

“…the multi-layered, opt-out heavy, and rather unclear nature of their settings still seems like a problem.”

Spinks was speaking to concerns about unwanted attention women could experience from other users on Strava’s social network. Her observation about privacy, however, could not be more relevant. Even some of the most highly privacy conscious individuals, such as military personnel operating in denied areas, have not effectively implemented these privacy settings. This suggests that Strava’s model of privacy is not working in practice to prevent a global epidemic of fit leaking.

What to do?

Organizations concerned about operational security should probably consider taking urgent measures to halt further fit leaking from sensitive government and commercial activities, which might include policies against the use of location-enabled fitness trackers in work areas, limiting the network traffic of apps like Strava, banning them from official devices, and educating personnel about the risks that fit leaking poses.
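The privacy-zone idea and the work-area policy described above can also be applied locally, before an activity file leaves a device or network. The following Python sketch is an added example, not code from the original post or from Strava: it drops GPX track points that fall inside defined exclusion zones and reports how many were removed. The zone name, coordinates, radius and sample track are constructed placeholders.

```python
import math
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = {"g": "http://www.topografix.com/GPX/1/1"}

# Constructed sample track; coordinates are made up for illustration.
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" xmlns="http://www.topografix.com/GPX/1/1">
 <trk><trkseg>
  <trkpt lat="10.0000" lon="20.0000"/>
  <trkpt lat="10.0010" lon="20.0010"/>
  <trkpt lat="10.0100" lon="20.0100"/>
  <trkpt lat="10.0200" lon="20.0200"/>
 </trkseg></trk>
</gpx>"""

# Hypothetical exclusion zones: (name, centre lat, centre lon, radius in metres).
ZONES = [("work-site", 10.0, 20.0, 500.0)]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def zone_hit(lat, lon, zones):
    """Return the name of the first zone containing the point, else None."""
    for name, zlat, zlon, radius in zones:
        if haversine_m(lat, lon, zlat, zlon) <= radius:
            return name
    return None

def scrub_gpx(gpx_text, zones):
    """Return (scrubbed GPX text, {zone name: number of points removed})."""
    ET.register_namespace("", NS["g"])  # keep the default GPX namespace on output
    root = ET.fromstring(gpx_text)
    removed = {}
    for seg in root.iterfind(".//g:trkseg", NS):
        for pt in list(seg.findall("g:trkpt", NS)):  # copy: we mutate seg
            hit = zone_hit(float(pt.get("lat")), float(pt.get("lon")), zones)
            if hit:
                seg.remove(pt)
                removed[hit] = removed.get(hit, 0) + 1
    return ET.tostring(root, encoding="unicode"), removed

def count_points(gpx_text):
    return len(ET.fromstring(gpx_text).findall(".//g:trkpt", NS))
```

Points removed from the middle of a segment leave their neighbours adjacent, so a renderer may draw a straight line across the zone; splitting the segment at each removal avoids that.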

While some may be tempted to ask Strava to remove access to the heat map or take it down, it is unclear whether this would realistically mitigate the impact of the fit leaking. Certain facilities and activities have now been outed (if they were not already known to some well-resourced adversaries). Given the secrecy surrounding some of these activities, however, we may never know whether this new ‘outing’ has caused any additional harm.